The Student Room Group

Security breach – an update

The latest post from the TSR Blog:

Firstly, thank you to everyone that has helped us communicate the request for members to change their passwords over the past few days. We realised that following the discovery of being hacked, we needed to act quickly and lots of changes were made in a very short space of time. At the time of discovery [...]

Read more on the TSR Blog...


Reply 1
Cheers for keeping us updated.
Reply 2
Thank you, you guys are the best.
Reply 3
Thanks :smile:
Reply 4
Cheers for the update CJ. :h: No doubt you guys have been working hard on this the last few days. :frown:
Reply 5
Your updates turn me on. :sexface:
Cheers for the info. :smile:
The announcement went up on 21st June and I've only just seen it.

Surely it would have been easier to send PM's as opposed to a tiny announcement inside the actual forums?

Although the passwords were hashed/salted, they were unfortunately not secured to a level which would prevent them being cracked with modern approaches.


Why not?
(edited 11 years ago)
Original post by Wilfred Little
The announcement went up on 21st June and I've only just seen it.

Surely it would have been easier to send PM's as opposed to a tiny announcement inside the actual forums?



Why not?


Answers?

Why did this happen?

Is it down to smart hackers or the tardiness of TSR?
Original post by Wilfred Little
Answers?

Why did this happen?

Is it down to smart hackers or the tardiness of TSR?


There was a very prominent announcement up for several days. Have you seen the details in the staff blog? Those may be helpful: http://staffblog.thestudentroom.co.uk/the-student-room-%E2%80%93-security-breach/

Otherwise, admin don't work at weekends but you'll hopefully get a reply to any unanswered questions that you may have early next week. :smile:
Original post by Wilfred Little
The announcement went up on 21st June and I've only just seen it.

Surely it would have been easier to send PM's as opposed to a tiny announcement inside the actual forums?



Why not?


There is a big message at the top of every thread.

As to why the passwords were not secured to an extent that modern approaches would not be able to crack them: TSR used the default method provided by vbulletin. Why they haven't used a more secure approach I don't know. My personal view is that TSR hadn't upgraded the level provided by vbulletin as their dev time is limited, and they spent the time upgrading other parts of the site / fixing other bugs instead of testing how secure the default password storage method was, as they assumed the method was fit for purpose, given they are not using the vbulletin software to do anything it wasn't designed for.

Original post by Wilfred Little
Answers?

Why did this happen?

Is it down to smart hackers or the tardiness of TSR?


Answers are partly here and here.
Original post by Illusionary
There was a very prominent announcement up for several days. Have you seen the details in the staff blog? Those may be helpful: http://staffblog.thestudentroom.co.uk/the-student-room-%E2%80%93-security-breach/

Otherwise, admin don't work at weekends but you'll hopefully get a reply to any unanswered questions that you may have early next week. :smile:


Quick reply. Illusionary, you're the best mod. :smile:

My main questions are why does TSR send automatic PM's for things like Share Trading Competitions but didn't send any for this? If this is as serious as it's coming across then I am questioning the decision to put an announcement up over sending PM's. We would have all been notified the second we signed in had PM's been used.

There are so many stickies and announcements that I barely even look at what's there. You may have noticed I spend far too much time browsing this website than I'm proud to admit and even I didn't notice it. I had no email notification either, although I do get thread update emails (much less than before as I've posted a thread about them before.)

I'm not knocking the staff, you all do a great job but I used the same password for at least 15 sites, I do find it a bit odd that PM's weren't used.

This is a pain in the arse.
Original post by rmhumphries
There is a big message at the top of every thread.

As to why the passwords were not secured to an extent that modern approaches would not be able to crack them: TSR used the default method provided by vbulletin. Why they haven't used a more secure approach I don't know. My personal view is that TSR hadn't upgraded the level provided by vbulletin as their dev time is limited, and they spent the time upgrading other parts of the site / fixing other bugs instead of testing how secure the default password storage method was, as they assumed the method was fit for purpose, given they are not using the vbulletin software to do anything it wasn't designed for.


Top of the thread isn't good enough, there are other things there clogging the forum up that I don't give two ****s about. If I get my bank account, Paypal, etc hacked then it's not enough.

And is the highlighted bit down to incompetence?
(edited 11 years ago)
Original post by Wilfred Little
Top of the thread isn't good enough, there are other things there that I don't give two sh!ts about. If I get my bank account, Paypal, etc hacked then it's not enough.

And is the highlighted bit down to incompetence?


It is a big banner though, with coloured side and so on - not just a line of text; so it is expected to attract your attention more than a normal announcement. Where would you suggest they put it? They did send out an e-mail as well. Just as if paypal got hacked, then they would send out an e-mail (and possibly a text / letter if they held those details, but TSR only holds your e-mail).

Due to my incompetence? No, I just don't work for TSR - and have as much knowledge of its running as any other user. Their incompetence? I gave why I consider it so; if you think differently, fair enough.
Original post by Wilfred Little
Quick reply. Illusionary, you're the best mod. :smile:

My main questions are why does TSR send automatic PM's for things like Share Trading Competitions but didn't send any for this? If this is as serious as it's coming across then I am questioning the decision to put an announcement up over sending PM's. We would have all been notified the second we signed in had PM's been used.

There are so many stickies and announcements that I barely even look at what's there. You may have noticed I spend far too much time browsing this website than I'm proud to admit and even I didn't notice it. I had no email notification either, although I do get thread update emails (much less than before as I've posted a thread about them before.)

I'm not knocking the staff, you all do a great job but I used the same password for at least 15 sites, I do find it a bit odd that PM's weren't used.

This is a pain in the arse.
I think the share trading PM that you mentioned is from another member, not admin. :nah: I can't now show you how the original announcement looked, but it was very prominent. I know that sending PMs was suggested and considered, but I'm not personally in a position to fully explain why this wasn't done - it was an admin, rather than moderation team, decision. As rmhumphries mentions above, an email was sent out to all members with details of this.
(edited 11 years ago)
Original post by rmhumphries
It is a big banner though. Where would you suggest they put it? They did send out an e-mail as well. Just as if paypal got hacked, then they would send out an e-mail (and possibly a text / letter if they held those details, but TSR only holds your e-mail).

Due to my incompetence? No, I just don't work for TSR - and have as much knowledge of its running as any other user. Their incompetence? I gave why I consider it so; if you think differently, fair enough.


The banner isn't enough, I'm on here near enough every day. I had no email, I checked my junk before posting this thread just to make sure I didn't make a tit out of myself. If you can send PM's that pop up on your screen every time you sign in, for things like Share Trading Competitions, then I find it very strange you couldn't do the same for something which is actually dangerous and a risk to every member that posts on here.

And no, not your incompetence personally, I apologise most sincerely if it sounded like an attack on you. Like I say, I think the TSR team do a great job but considering I browse here frequently and didn't notice the announcement I think should it happen in future TSR really needs to do more than just sticky a thread or an announcement. It's not enough.
Original post by Illusionary
I think the share trading PM that you mentioned is from another member, not admin. :nah: I can't now show you how the original announcement looked, but it was very prominent. I know that sending PMs was suggested and considered, but I'm not personally in a position to fully explain why this wasn't done - it was an admin, rather than moderation team, decision. As rmhumphries mentions above, an email was sent out to all members with details of this.


Cheers mate, I believe the constant replies are causing my points to overlap.

But I had no email and didn't notice the announcement until earlier today.
Original post by Wilfred Little
The banner isn't enough, I'm on here near enough every day. I had no email, I checked my junk before posting this thread just to make sure I didn't make a tit out of myself. If you can send PM's that pop up on your screen every time you sign in, for things like Share Trading Competitions, then I find it very strange you couldn't do the same for something which is actually dangerous and a risk to every member that posts on here.

And no, not your incompetence personally, I apologise most sincerely if it sounded like an attack on you. Like I say, I think the TSR team do a great job but considering I browse here frequently and didn't notice the announcement I think should it happen in future TSR really needs to do more than just sticky a thread or an announcement. It's not enough.


There was an e-mail - I don't see any reason why it wouldn't have been sent to all users, it went to junk mail in my account but I did get it - unless you changed your e-mail recently I don't know why it didn't get to you - but the intention was certainly there by TSR. It could be worth seeing if anyone else may have not received the e-mail though.

Just double checking :tongue: The actual reason for our passwords most likely not being secure I don't think was their fault; if you pay for something, you expect it to work for what it says it will do. With the announcement of the problems, I am on the fence as to whether there has been a problem where some people didn't get e-mailed when they should have, or whether you were an unfortunate exception and the measures were good enough.
Original post by Wilfred Little
The announcement went up on 21st June and I've only just seen it.

Surely it would have been easier to send PM's as opposed to a tiny announcement inside the actual forums?



We did a site wide announcement for logged in and out users, a notice at the top of every page for logged in users, posts in the blog, and an email to all users.

We thought this would be enough. We did discuss a PM, but it's not quite that easy to do for all users, and we figured we had all bases covered already.

Apologies if all those methods missed you. :frown:
Original post by rmhumphries

As to why the passwords were not secured to an extent that modern approaches would not be able to crack them: TSR used the default method provided by vbulletin. Why they haven't used a more secure approach I don't know. My personal view is that TSR hadn't upgraded the level provided by vbulletin as their dev time is limited, and they spent the time upgrading other parts of the site / fixing other bugs instead of testing how secure the default password storage method was, as they assumed the method was fit for purpose, given they are not using the vbulletin software to do anything it wasn't designed for.


Exactly that. With hindsight we clearly would have done things differently, but unfortunately we didn't have that in advance... sorry, we know it's a pain...
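The point rmhumphries makes above, and the admin confirms, is that a hashed and salted password store can still be trivially crackable if the hash is fast. The following is an added example, not code from TSR or vBulletin. It assumes that the "default method provided by vbulletin" is the vBulletin 3/4 scheme md5(md5(password) + salt); the page itself never names the algorithm, so that is an assumption. The wordlist, salt and passwords are constructed for the example. It shows an offline dictionary attack against that scheme, a hardened replacement using the standard library's scrypt, and a wrapping migration that protects every existing account immediately rather than only after the user next logs in.

```python
import hashlib
import hmac
import os
import time

# Assumption for this example: the vBulletin 3/4 default, md5(md5(password) + salt).
# The thread above only says "the default method provided by vbulletin".
def legacy_hash(password, salt):
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "qwerty", "letmein", "football", "monkey"]


def crack_legacy(target, salt, wordlist=WORDLIST):
    """Offline dictionary attack. The salt sits in the clear next to the digest
    in a dumped user table, so every guess costs just two MD5 calls.
    Returns the recovered password, or None if no candidate matched."""
    for guess in wordlist:
        if hmac.compare_digest(legacy_hash(guess, salt), target):
            return guess
    return None


# Hardened storage: a tunably slow, memory-hard KDF from the standard library.
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hardened_hash(password, salt=None):
    """Returns 'scrypt$<salt hex>$<key hex>', with a fresh random salt by default."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return "scrypt$%s$%s" % (salt.hex(), key.hex())


def verify_hardened(password, stored):
    scheme, salt_hex, key_hex = stored.split("$", 2)
    if scheme != "scrypt":
        return False
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
    return hmac.compare_digest(key.hex(), key_hex)


# Migration that protects every account at once, without waiting for a login:
# wrap the legacy digest already on disk in the slow KDF. The legacy salt is
# kept (hex-encoded, so any character is safe) so that the inner digest can be
# recomputed from a plaintext password at verification time.
def wrap_legacy(legacy_digest, legacy_salt):
    return "wrapped$%s$%s" % (legacy_salt.encode().hex(), hardened_hash(legacy_digest))


def verify_wrapped(password, stored):
    scheme, salt_hex, inner = stored.split("$", 2)
    if scheme != "wrapped":
        return False
    legacy_salt = bytes.fromhex(salt_hex).decode()
    return verify_hardened(legacy_hash(password, legacy_salt), inner)


def guesses_per_second(hash_fn, seconds=0.5):
    """Rough single-core, in-process guess rate; GPU rigs are orders faster."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn("candidate%d" % count)
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    salt = "Kx9"                                  # constructed legacy salt
    dumped = legacy_hash("letmein", salt)         # what an attacker reads from the dump
    print("legacy digest:", dumped)
    print("recovered from dump:", crack_legacy(dumped, salt))

    wrapped = wrap_legacy(dumped, salt)
    print("wrapped record verifies:", verify_wrapped("letmein", wrapped))
    print("wrong password rejected:", not verify_wrapped("password", wrapped))

    fast = guesses_per_second(lambda p: legacy_hash(p, salt))
    slow = guesses_per_second(lambda p: hardened_hash(p, b"fixedsaltfixedsa"))
    print("legacy guesses/s: %.0f  scrypt guesses/s: %.0f  ratio: %.0fx" % (fast, slow, fast / slow))
```

The salt defeats precomputed rainbow tables but does nothing about per-user brute force, which is why the ratio printed at the end is the number that matters: a fast hash lets an attacker test the whole dictionary against every dumped account, a slow KDF makes each guess cost as much as a login. The wrapped form can later be replaced by a plain scrypt record the next time each user authenticates successfully.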
